
RE: Another ACL question ...



At 05:28 PM 02/06/2002 -0800, you wrote:
>> 1) directly reference the SASL user id in ACLs, and that it is
>> not planned
>> for implementation.

> There's nothing stopping you from defining ACLs that reference a SASL DN
> directly:
>    access to xyzzy by dn="uid=plugh + realm=plover"
> will work fine in the released code.

Is there a way to insert the SASL returned DN? I know I can hard code the id, but how do I directly reference the id returned from the client bind?


> Additionally, the code in HEAD allows configuration of regexp patterns to
> map SASL DNs (as described above) to LDAP DNs (like your
> uid=abrock,dc=...).

I will play with this in the next couple of weeks ... it sounds promising.

> Try using "sasl-realm" in your slapd.conf to define a default realm.
> Ordinarily this shouldn't even be needed since a properly configured SASL
> installation should be able to extract the Kerberos realm name on its own.

This is interesting! So far, I have added NO configuration to SASL since I have not been able to find any documentation on the use of SASL with Kerberos (I have been browsing their site, mailing archives and docs for several weeks). From what I can tell, my guess is that SASL "magically" figures everything out from the krb5.conf file.


Also, I have sasl-realm defined in the slapd.conf file. Can you supply an example of a working SASL configuration file for Kerberos?

Thanks!

Tony


******************************************************************************
* Anthony Brock                                       abrock@georgefox.edu *
* Director of Network Services                        George Fox University *
******************************************************************************
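Added example (not from the thread) of the two directives discussed above working together in slapd.conf: a default realm, a regexp that rewrites the SASL identity from a Kerberos bind onto a directory entry, and ACLs that then match the bound user through the mapped DN instead of a hard-coded SASL DN. It assumes OpenLDAP 2.1's released syntax (directive name sasl-regexp, SASL DN layout uid=<user>,cn=<realm>,cn=<mech>,cn=auth) rather than the "uid=plugh + realm=plover" form quoted in the reply, reuses the realm "plover" and user "plugh" from the thread, and uses dc=example,dc=com as a placeholder suffix.

```conf
# Added example; assumes OpenLDAP 2.1 syntax and a placeholder suffix
# dc=example,dc=com. Realm "plover" and uid "plugh" come from the thread.

# Default realm used when the client does not supply one.
sasl-realm      plover

# Rewrite every GSSAPI (Kerberos) identity in realm "plover" onto the
# entry uid=<user>,ou=people,dc=example,dc=com. From here on, ACL
# evaluation sees the mapped LDAP DN, not the raw SASL DN.
sasl-regexp
    uid=(.*),cn=plover,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com

# Without the mapping, the only way to name a Kerberos principal in an
# ACL is to hard-code its SASL DN, once per user:
#
# access to attrs=userPassword
#     by dn="uid=plugh,cn=plover,cn=gssapi,cn=auth" write
#     by * none

# With the mapping, "self" refers to the mapped entry, so one rule
# covers every principal that rewrites to a real user entry.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# A DN pattern on the mapped form grants the whole mapped population
# read access; principals that fail to map never match this line.
access to *
    by dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$" read
    by * none
```

Check the effect with `ldapwhoami` after a Kerberos bind: it should report the mapped uid=...,ou=people DN, and if it still shows the cn=auth form the regexp did not match and the ACLs fall through to `by * none`.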